Android Apps Open to Exploits Even without Permission in Android 4.0 ICS

Android apps, even without permissions, can access data, which could pose a security threat. Researcher Paul Brodeur of Leviathan Security created an app that was able to find out all sorts of information about an Android device even without permissions.

Brodeur created a "No Permissions" Android app that explores what data can be harvested from an Android device even when the installed app has no permissions. The app was able to harvest data, open a browser and send the data over the web.

Information stored on the microSD card can be read, even OpenVPN certificates.

The app read the /data/system/packages.list file to determine what apps are currently installed on the device. This can be scanned to show a list of installed apps and a list of any readable files, and the app could then read some files belonging to other apps.

Even with no permissions, Brodeur was able to grab identifiable information about the device itself, most importantly the Android ID.

The app could not read the IMEI or IMSI; however, the GSM and SIM vendor IDs can still be read. The /proc/version pseudofile, which reveals the kernel version and possibly the name of the custom ROM installed, can also be read. The Android ID is a 64-bit number randomly generated when a device is first booted and remains constant thereafter.

Without any permissions, the URI ACTION_VIEW Intent opens a browser. He found that the app is able to launch the browser, allowing for transmission of large amounts of data by creating successive browser calls.

The app was tested against Android 4.0.3 and Android 2.3.5. What can you do? We suggest that you monitor your data to see if it is being used by apps, and that you don't use any apps from unknown sources. In-app advertising also collects data.

If an app contains many ads, it may not be worth using because it is using your data plan. Apps that run without access to the net will be the most data efficient.

In fact, most free apps scan for data. Research showed that ads in Android apps are risky business for privacy and security. Free apps drain batteries faster because 75% of an app's energy consumption was spent on powering advertisements.

Security expert Robert Siciliano was able to find all sorts of information on Android phones bought on Craigslist, including porn.